Corporate Governance: 2. A. Internal Control System
Exhibit 99.1
Report of the Chairman of the Board of Directors as presented in the French-language document de référence
(Section L. 225-37 of the French Commercial Code)
In preparing this report, the Chairman consulted the Executive Vice President Chief Financial Officer and the Senior Vice
President Audit and Internal Control Assessment.
The Board of Directors was informed of the conclusions of the specialist committees and of the Statutory Auditors, and has
approved this Chairman’s report.
1. Corporate Governance
Corporate governance is discussed in the French-language document de référence in section “1.2. Gouvernement d’entreprise”.
The COSO framework, adopted because sanofi-aventis is listed on the U.S. stock market and to comply with SOA 404, is regarded
by the Autorité des Marchés Financiers (AMF), the French market regulator, as equivalent to the AMF reference framework.
Internal control is a management tool developed and implemented by the Group’s senior management, middle management and
staff with the aim of providing directors, corporate officers and shareholders with reasonable assurance that the following objectives are
met:
• reliability of accounting and financial information;
• effectiveness and efficiency in the conduct of operations;
• compliance with applicable laws and regulations;
• safeguarding of corporate assets.
An internal control system can only give reasonable assurance, and can never give absolute assurance, that these objectives are met. The
probability of meeting these objectives is subject to the limitations inherent in all internal control systems, including the possibility of defective
judgment in decision-making, the need for cost/benefit analysis before implementing controls, and the risk of deficiencies caused by human
failings or mere error.
2. A.c. Organization, formalization and assessment procedure for internal control over financial reporting
In 2004, to comply with legal requirements on internal control in both France and the United States, sanofi-aventis created a dedicated
Internal Control Assessment Department reporting to the Audit and Internal Control Assessment Department.
Capitalizing on the Group’s existing internal control system, this department developed a methodology to comply with Sarbanes-Oxley
Act Section 404 (SOA 404), with the objective of assessing and improving the effectiveness of internal control over the production of financial
statements. This methodology applies to Group activities in proportion to their contribution to the consolidated financial statements and their
risk profile, and provides a consistent basis for identifying, consolidating and rating identified internal control deficiencies in financial
processes. The system applies a top-down, risk-based approach tailored to available resources, defined at Group level and implemented locally,
in accordance with the recommendations published by the U.S. Securities and Exchange Commission (SEC) in June 2007.
To ensure the necessary degree of acceptance and implementation of this methodology for the assessment of internal control over
financial processes, the Internal Control Assessment Department:
• defines the assessment methodology and establishes timetables;
• ensures that risks relating to financial information are covered in accordance with the reasonable assurance principle;
• accompanies the internal control assessment network members through dedicated communications and support;
• assesses the effectiveness of internal control over the production of financial statements;
• coordinates this process with the statutory auditors.
The “Report of Management on Internal Control Over Financial Reporting” pursuant to SOA 404 is presented in Item 15 of the Annual
Report on Form 20-F for the year ended December 31, 2010.
2. B. Control environment
The control environment is a key factor in establishing the internal control system, and is the cornerstone of all other COSO internal
control components. It refers to the degree of awareness Group staff have of internal control, and is implemented via standards presented in the
form of codes, procedures and charters posted on the Group’s intranet.
2. B.a. Codes
Group Code of Ethics
The sanofi-aventis Code of Ethics, along with the Group’s values, represents the core framework to which every employee must refer,
wherever he/she works and whatever his/her responsibilities. It is communicated to every newcomer. Deployment of the code is coordinated
centrally by the Global Compliance Department, and locally by the Compliance Officer network. An e-learning program is available on the
Group’s intranet to help employees understand the main rules and principles of the code.
Anti-corruption is a key focus of this program. Employee awareness of anti-corruption issues is being raised by the distribution of
guidelines and videos, an online training module, and Group-wide presentations on the subject.
Code of Financial Ethics
In accordance with U.S. securities law, sanofi-aventis has adopted a Code of Financial Ethics that applies to the Chief Executive Officer,
the Executive Vice-President Chief Financial Officer and the Vice-President Corporate Accounting. The Chief Financial Officers of Group
entities are also required to sign up to the code in recognition of their adherence to its principles.
Code of Conduct: Prevention of Insider Dealing
As a result of the dual listing of sanofi-aventis in France and in the United States, both French and U.S. rules apply. Other countries’ rules
may also apply given that the Group’s shares are owned by individuals located in different countries. This code is intended to promote ethical
conduct among sanofi-aventis employees. It provides background information and familiarizes employees with insider dealing rules under
French and U.S. law, including rules relating to confidentiality of information obtained in the course of their employment.
Code of Internal Control Principles
In 2008, the Internal Control Assessment Department published a Code of Internal Control Principles in order to improve the
effectiveness of processes and the reliability of the financial statements, and to enhance legal and regulatory compliance. This
code sets out the key principles of governance and internal control, unifying action taken by the Group to implement internal control
and improve its effectiveness. Internal control teams at newly-acquired entities receive a copy and are given a presentation about the
code as part of their induction program.
2. B.b. Charters
Sanofi-aventis has provided all employees with charters that structure and promote the internal control environment. The main
charters available are:
• the information systems usage charter, describing the principal risks to which the Group’s information systems are exposed
and establishing rules governing the use of information technology (IT) resources;
• the personal data protection charter, underscoring the Group’s commitment to respecting privacy and protecting data of a
personal nature;
• the social charter, reflecting the Group’s commitment to corporate social responsibility and incorporating the principles of
the United Nations Global Compact on Labor, which sanofi-aventis is committed to follow;
• the ethical charter for purchasing, provided to all Group employees involved regularly or occasionally in purchasing
activities, and describing the conduct to be adopted by sanofi-aventis employees when carrying out their duties.
Sanofi-aventis applies many other internal standards derived from these external standards, adapted to the specific processes
carried out by each entity, thereby contributing to internal control.
For a description of the main risks relating to activities in the pharmaceutical sector and financial risks, refer to “Item 3. Key
Information — D. Risk Factors” of the Annual Report on Form 20-F. These factors include, without limitation:
• risks relating to legal matters;
• risks relating to our business;
• environmental risks of our industrial activities;
• risks related to financial markets; and
• other risks.
2. C.a. Bodies responsible for identifying, assessing and managing risks and opportunities
The Group’s organizational structure is geared to managing the risks and opportunities associated with the activities of sanofi-
aventis. The corporate, operational and support teams involved in internal control contribute to the overall risk control system by
conducting control processes within their area of responsibility.
The main committees in charge of identifying, assessing and managing risks and opportunities are the Executive Committee and
the Management Committee. Their members rely on their experience to anticipate risks and opportunities arising from developments
in the pharmaceutical sector. Other committees within the Group’s operations monitor their specific risks and opportunities using a
transverse approach involving internal and external partners.
At the end of 2010, as part of the transformation program, the Chief Executive Officer took the decision to establish a Group-
level Risk Committee. This committee is coordinated by the Senior Vice President Corporate Social Responsibility and the Senior
Vice President Audit and Internal Control Assessment, and reports to the Executive Committee. Its role will be to lead and promote
the evaluation and management of strategic and operational risks across all of the Group’s activities.
• Executive Committee
The Executive Committee, chaired by the Chief Executive Officer, is a select group of key executives who meet on a regular
basis in order to facilitate rapid decision-making. It implements the Group’s overall strategy and oversees arbitration between
departments and allocates resources, in furtherance of its high-level management role and the objective of transforming sanofi-aventis
into a global, diversified, patient-centered leader in healthcare. The composition of the Executive Committee is available in “Item 6.
Directors, Senior Management and Employees — A. Directors and Senior Management” of the Annual Report on Form 20-F. Other
attendees may be invited depending on the subjects addressed.
• Management Committee
The Management Committee is also chaired by the Chief Executive Officer. It reviews ongoing group operations, and is a forum for
exchanging ideas and information between functions and for coordinating transversal projects across the organization.
This methodology takes into account new risks related to changes in the organizational model and to acquisitions arising as a result
of the transformation program.
The approach relies on a methodology developed by the Internal Control Assessment Department. This methodology covers the five
COSO components, and comprises:
• a reference framework of processes used in the preparation and processing of financial and accounting information;
• a reference framework of financial risks (including fraud), structured to enable assessments to be conducted at all levels of the
Group;
• a group evaluation tool comprising three reference frameworks applying at different organizational levels, designed to produce
an assessment at Group level while adapting the workload to identified risks. Using these frameworks, each entity in the scope
can assess its capacity to control risks and identify any deficiency in its internal control system.
This methodology relies on processes of identifying, monitoring and reporting financial risks. The dedicated internal control
assessment teams are responsible for providing reasonable assurance that financial risks are properly controlled, and for notifying the
Group of any residual deficiencies in internal control.
The approach to identifying, assessing and managing financial risks integrates the periodic update of the methodology.
A Rating Committee conducts an annual assessment of internal control and financial risks, designed to assess the materiality and
probability of occurrence of each identified financial risk. This committee notifies the Audit Committee of any residual risks that might
have a significant or material impact on the published financial statements, thereby undermining the reliability of the Group’s financial
reporting. This committee comprises the Executive Vice President Chief Financial Officer, the Senior Vice President Audit and Internal
Control Assessment, the Vice President Corporate Accounting, the Vice President Information Systems, and the Head of Internal Control
Assessment.
In addition, the Internal Control Assessment Department encourages the sharing of good practice in fraud prevention and detection,
and supports subsidiaries in their anti-fraud activities in coordination with the Finance, Legal Affairs and Human Resources departments.
2. C.d. Identifying, assessing and managing risks relating to activities in the pharmaceutical sector
The process of identifying, assessing and managing risks relating to activities in the pharmaceutical sector is the responsibility of:
• the Chief Medical Officer (a position created in 2009), who supervises the Pharmacovigilance and Epidemiology Department;
• the following departments:
  • Global Quality, which coordinates quality policy across the entire Group;
  • Legal Affairs, in particular as regards obtaining or enforcing patent rights and other industrial property rights;
  • Health, Safety and Environment, which has departments in each business line and on each site, working on the basis of
    an internal framework;
  • Insurance, which among other things provides Group entities with advice and risk prevention support;
  • Corporate Economic Security, responsible for protecting the Group’s workforce and tangible and intellectual property.
The Group also has a crisis management procedure designed to anticipate, as far as possible, the potential emergence of crises, via
management principles and early warning systems covering all Group activities.
Control activities relating specifically to the financial statements preparation process rely on operational processes encompassing sales
administration, purchasing, production processes and inventory management, human resources, information systems, and the monitoring of
legal affairs, all of which contribute to the production of financial and accounting information. Control activities identified in all of these
processes are included in the scope of the assessment conducted under SOA 404.
The Internal Control Assessment Department supports newly-acquired entities as they gradually deploy the methodology used to assess
the effectiveness of internal control over financial processes.
The Group Finance Department is structured so as to enable it to carry out its various duties (preparing individual and consolidated
financial statements, accounting standards, controlling, financing and treasury, tax, and investor relations). As part of its unifying role within
the Group, the Group Finance Department coordinates and oversees local finance departments for the purposes of the preparation and
publication of the Group’s financial statements. Accounts committees, which are responsible for reviewing the tax, legal, treasury and
financing aspects of Group entities and validating the application of Group accounting policies, meet annually on the basis of the accounts as
of end September. Their objective is to review the accounts of Group entities in anticipation of the preparation of the Group’s annual
consolidated financial statements and the individual financial statements of Group companies.
A Treasury Committee, chaired by the Vice President Financing and Treasury, meets monthly to review strategies on financing and
investment and on the hedging of interest rate risk, currency risk, banking counterparty risk and liquidity risk.
Under Section 302 of the Sarbanes-Oxley Act, the Chief Executive Officer and the Vice-President Chief Financial Officer are required to
carry out an evaluation of the effectiveness of the Group’s control over published financial information and fraud. To this end, they push down
responsibility to local level. Representation letters are signed off twice a year by the Chief Executive Officers and Chief Financial Officers of
Group entities to confirm this cascaded responsibility.
This process also gives the Group Finance Department an opportunity to highlight the importance of preventing and detecting fraud.
In accordance with the publications and recommendations issued by the AMF in 2010:
• The roles and responsibilities, the composition and the operation of the Audit Committee are defined in the internal rules of the
Board of Directors, and are consistent with the AMF report on audit committees published in 2010.
• The internal rules of the Board of Directors, as updated and approved by the Board in 2010, specify that the Audit Committee is
responsible for monitoring:
  • the process of preparing financial information;
  • the effectiveness of internal control and risk management systems;
  • the audit of the individual and consolidated financial statements by the statutory auditors;
  • the independence of the statutory auditors.
The Audit Committee is informed periodically and on request about the process used to identify, assess and manage the
principal risks to which the Group is exposed.
The Group has a decentralized structure based on stand-alone units, which means that the business can be broken down into key
divisions. This gives genuine autonomy and decision-making power to the front line, while strategic decisions are made centrally. As
part of its duties, operational management is required to disseminate these rules, check that they are applied, and alert the executive
committee if any adjustments are necessary.
The Committee has implemented a process of reporting information to the Committee’s secretary to ensure that the Committee
is kept informed of any significant event liable to impact the share price. The secretary then consults Committee members to
determine what approach to adopt as far as informing the public is concerned.
2. F.e. Audits
Various types of audit are in place, covering all Group companies.
The roles and responsibilities of the Internal Audit and Information Systems Audit functions are described in a charter, available
on the Group’s intranet.
The Internal Audit function is independent and objective, reporting to the Chief Executive Officer. It has neither authority over
nor responsibility for the operations it reviews, and has complete freedom of action. Internal Audit is responsible for providing senior
management, and the Board of Directors via the Audit Committee, with reasonable assurance about the level of control over risks
associated with operations within the Group and about the effectiveness of internal control. The Audit Committee is periodically
informed about the results of internal audit activities, the implementation status of internal audit recommendations, the annual audit
plan, and related resource needs.
The sanofi-aventis Internal Audit function is certified by IFACI (the French Institute of Internal Audit and Internal Control),
indicating that it operates to international professional standards.
The Information Systems Audit function is completely independent of the Group Information Systems Department. It is
organized along similar lines to the Group Internal Audit function, but conducts its assignments using a methodology specific to
information systems audit.
The Internal Audit and Information Systems Audit functions are under the authority of the Audit and Internal Control
Assessment Department.
The Quality Assurance departments embedded in the Group’s support functions and business lines conduct regular audits to
assess good practice and obtain assurance as to compliance with procedures and regulations on quality issues.